I pleased to see your query is working; however, it's repeating the same values.

Sorry, I did not explain that there will be 1000's of logs, each with a different value.

Can you show your search, it seems that those numbers and warnings are the same as the example you gave - if that is what it is showing, then that is likely what the data contains. Can you show an example of a couple of messages and your search because the search will work - note that you should not include the eval _raw part, as that is just setting up example test data to show you how the rest of the search can work

index="ifi" appEnvrnNam="ANY" msgTxt="StandardizedAddress SUCCEEDED*"
| eval _raw="Standardizedss SUCCEEDED - FROM: {\"Standardizedss \":\"SUCCEEDED\",\"FROM\":{\"Address1\":\"123 NAANNA SAND RD\",\"Address2\":\"\",\"City\":\"GREEN\",\"County\":null,\"State\":\"WY\",\"ZipCode\":\"44444-9360\",\"Latitude\":null,\"Longitude\":null,\"IsStandardized\":true,\"AddressStandardization\":1,\"AddressStandardizationType\":0},\"RESULT\":1,\"AddressDetails\":[{\"AssociatedName\":\"\",\"HouseNumber\":\"123\",\"Predirection\":\"\",\"StreetName\":\"NAANNA SAND RD\",\"Suffix\":\"RD\",\"Postdirection\":\"\",\"SuiteName\":\"\",\"SuiteRange\":\"\",\"City\":\"GREEN\",\"CityAbbreviation\":\"GREEN\",\"State\":\"WY\",\"ZipCode\":\"44444\",\"Zip4\":\"9360\",\"County\":\"Warren\",\"CountyFips\":\"27\",\"CoastalCounty\":0,\"Latitude\":77.0999,\"Longitude\":-99.999,\"Fulladdress1\":\"123 NAANNA SAND RD\",\"Fulladdress2\":\"\",\"HighRiseDefault\":false}],\"WarningMessages\":[\"This mail requires a number or Apartment number.\"],\"ErrorMessages\":[],\"GeoErrorMessages\":[],\"Succeeded\":true,\"ErrorMessage\":null}"
| rex "StandardizedAddres SUCCEEDED - FROM: (?<event>.*)"
| spath input=event
| rename AddressDetails{}.* as *, WarningMessages{} as WarningMessages
| table Latitude Longitude WarningMessages

Scratch that first line..

Use this

index="ifi" appEnvrnNam="ANY" msgTxt="Standardizess SUCCEEDED - FROM:*"

The _raw=... line is OUR example based on your data to demonstrate the solution. You MUST not include that in YOUR search, as it makes every event equal to that _raw value.

So if I'm not to use 

| eval _raw="StandardizedAddres SUCCEEDED - FROM: {\"StandardizedAddres.................."

Should I use 

| eval msgTxt="StandardizedAddres SUCCEEDED - FROM: {\"StandardizedAddres\":\"SUCCEEDED\",\"FROM\":{\"Address1\":\"123 NAANNA SAND RD\",\"Address2\":\"\",\"City

And do I not include the /?

Thank you it is working; however, it's repeating the same value. The search will be returning 1000's of logs each with a different value and some will not contain a warning message.

Hi @msarkaus 

It looks like you have multiple events with the same content in then? If you have 1000s of events you should probably use something like stats to group them up:

| stats count by Latitude Longitude WarningMessages

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

I'm having issues getting this to work.  I posted my  search in a earlier post.

I was told not to use the eval _raw line, I've tried removing it and I have used | eval msgTxt="

and it is still not working. What am I doing wrong? Please help. thanks

Can you post your exact search

When I use | eval msgTxt= I get no results, but if I use | eval _raw it returns the requested data, but it repeats the same values.

index="cif" appEnvrnNam="Production" msgTxt="StandardizedAddressService SUCCEEDED*"

| eval msgTxt="StandardizedAddressService SUCCEEDED - FROM: {\"StandardizedAddressService\":\"SUCCEEDED\",\"FROM\":{\"Address1\":\"123 NAANNA SAND RD\",\"Address2\":\"\",\"City\":\"GREEN\",\"County\":null,\"State\":\"WY\",\"ZipCode\":\"44444-9360\",\"Latitude\":null,\"Longitude\":null,\"IsStandardized\":false,\"AddressStandardizationStatus\":1,\"AddressStandardizationType\":1},\"RESULT\":1,\"AddressDetails\":[{\"AssociatedName\":\"\",\"HouseNumber\":\"123\",\"Predirection\":\"\",\"StreetName\":\"NAANNA SAND RD\",\"Suffix\":\"RD\",\"Postdirection\":\"\",\"SuiteName\":\"\",\"SuiteRange\":\"\",\"City\":\"GREEN\",\"CityAbbreviation\":\"GREEN\",\"State\":\"WY\",\"ZipCode\":\"44444\",\"Zip4\":\"9360\",\"County\":\"Warren\",\"CountyFips\":\"27\",\"CoastalCounty\":0,\"Latitude\":77.0999,\"Longitude\":-99.999,\"Fulladdress1\":\"123 NAANNA SAND RD\",\"Fulladdress2\":\"\",\"HighRiseDefault\":false}],\"WarningMessages\":[],\"ErrorMessages\":[],\"GeoErrorMessages\":[],\"Succeeded\":true,\"ErrorMessage\":null}"

| rex "\"Latitude\"\s*:\s*(?<Latitude>-?\d+\.\d+)"

| rex "\"Longitude\"\s*:\s*(?<Longitude>-?\d+\.\d+)"

| rex "\"WarningMessages\"\s*:\s*\[\s*\"(?<WarningMessages>[^\"]*)"

| table _time Latitude Longitude WarningMessages

Do NOT use eval for anything to set any value to "StandardizedAddressService bla bla bla"

That is data that I understand is coming from your event - when you make that eval statement you are setting a field called msgTxt (in your example) to the value you give it.

What is the name of your field that contains that phrase in your index=... search 

You should extract the "event" field using the rex statement specifying the field you want to extract from, e.g

| rex field=msgTxt blablabla

and then just use the original SPL I posted at the beginning

| spath input=event
| rename AddressDetails{}.* as *, WarningMessages{} as WarningMessages
| table Latitude Longitude WarningMessages

after that.

If you get something unexpected, add some more fields to the table statement at the end to show what those fields are

I have used the rex field=msgTxt but I keep getting errors. I'm sorry but I've worked on this for hours, and nothing seems to work. I'm still pretty new to Splunk and this is not in my skill-set.

Maybe I should start over..

However, the results I'm looking for have slightly changed. The field or log that contains my results are located in msgTxt 

and I would like to pull both  Latitude/Longitude values and the WarningMessages.  The field has Latitude and Longitude listed twice. Most of the time the first set will return 0's and the log will always be in this format.

The log looks like this:

StandardizedAddressService SUCCEEDED - FROM: {"Address1":"63 Somewhere NW ST","Address2":null,"City":"OKLAND CITY","County":null,"State":"OK","ZipCode":"99999-1111","Latitude":97.999,"Longitude":-97.999,"IsStandardized":false,"AddressStandardizationStatus":0,"AddressStandardizationType":0} RESULT: 1 | {"AddressDetails":[{"AssociatedName":"","HouseNumber":"63","Predirection":"NW","StreetName":"Somewhere","Suffix":"ST","Postdirection":"","SuiteName":"","SuiteRange":"","City":"OKLAND CITY","CityAbbreviation":"OKLAND CITY","State":"OK","ZipCode":"99999","Zip4":"1111","County":"Oklahoma","CountyFips":"40109","CoastalCounty":0,"Latitude":97.999,"Longitude":-97.999"Fulladdress1":"63 Somewhere NW ST","Fulladdress2":"","HighRiseDefault":false}],"WarningMessages":[],"ErrorMessages":[],"GeoErrorMessages":[],"Succeeded":true,"ErrorMessage":null}

I'm hoping to see the following results:

Latitude    Longitude   Latitude   Longitude    WarningMessages

99.2541     -25.214       99.254     -25.214        NULL

00.0000     -00.000        99.254     -21.218       NULL

00.0000     -00.000       00.000    -00.000        Error message with something

The results for all of the phrases will be different and I will be searching through1000's of logs.

If it's too much work to show both set of the Latitude/Longitude values, then the second set would work.

Your help is greatly appreciated.. 

Thanks

Thank you the solution you provided worked.. I appreciate your patience and willingness to help me.